...

A statement of work (SoW) is a document issued to clients that states the background and the activities agreed for delivery. It can also include financial information about the project, if required. Once an SoW has been approved, it can be used to provision a corresponding project. SoW templates let SoWs be defined as flexibly as the user requires.

What are projects and phases?

A project is a container for one or more phases. The project is the top-level container for phases, findings, assets, examples and more. It can be used for one-off engagements or as a way of tracking longer-running engagements (e.g. regular or iterative testing).

...

The phase is where most of the actual work occurs before reporting. Findings, assets and methodologies are all worked on at the phase level. Once the phase or phases are complete, you create a report from them. A report can consist of one or more phases, which can include re-test phases.

What is a finding?

What is an asset?

What is an example?

What is a reference?

What is a taxonomy?

What is a methodology?

...

Findings are where the majority of the test results are stored. This can include descriptions of the issue, evidence, recommendations and reference information; it is the core information Canopy stores to help produce detailed reports. Findings can also be tracked by status (e.g. open, fixed), which helps with re-testing. Many other detailed fields are available on a finding, such as CVSS2 and CVSS3 fields, risk rating and more, and custom fields can be added via the Administration interface. The extensive base finding structure and the custom fields together make findings a powerful way of dealing with many different types of assessment, from a typical web application assessment to an ISO 27001 gap analysis.

Additional details can be associated with findings, including:

  • Assets: an asset is a generic identifier, which can be a URL, IP, or even a file or binary reference ID. The asset relationship on a finding is used to track what asset a finding applies to. It's possible to view findings per asset also, which can help show the distribution of findings across different targets.
  • Examples: these capture one or more pieces of evidence from the assessment. This can include request/response data from a typical attack proxy (e.g. Burp scanner data), images, or longer explanations of access control issues using text and images.
  • References and Taxonomies: these are used for adding references to a finding. Taxonomies are special reusable references. Canopy will include canned taxonomies within the 3.0 FINAL release (including ASVSv3).
  • Methodologies: a finding can be linked to a methodology item, which is useful for tracking progress against the methodology your company follows (e.g. a web testing methodology such as the OWASP Testing Methodology).
Info

Port scan data is associated with the asset. It is considered lower level information than the finding itself. In Canopy 3.0, port scan data is imported from nmap only.

What are methodologies?

Methodologies are advanced checklists that help testers track progress against a defined standard; this is a typical approach teams use to ensure a minimum baseline of testing occurs. Methodologies can be linked to the knowledge base and to findings, so that users can write reports from the methodology, or have the methodology completed automatically from the findings.

What is the knowledge base?

...

A SoW template is a document-based form used to create a common structure and reusable content for SoWs created and generated from the system. The SoW template structure is mapped to a corresponding Word template, which is used to create the SoW documents issued to customers. Once a SoW template has been created, it can be enabled and made accessible to other users.

And the other templates?

The other templates in the system are:

  • Tariffs: for storing pricing information for use within SoWs
  • Taxonomies: for building custom taxonomies in order to reference specific information against findings. For example, one might use the ASVSv3 standard or a customer's secure coding standard for reference purposes; these could then be used to pull statistics from the system and (eventually) add them to pentest reports and periodic analytics reports.
  • Methodologies: for building methodologies (e.g. OWASP Testing Methodology v4)

What are tool importers?

Tool importers take data from a given source (e.g. Burp, Nessus, Qualys), parse it and import it into a defined Canopy structure. This normalises data from multiple tools into a common data structure. Tool importers are shipped with Canopy, although users are free to extend, override or write importers for their own needs.
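As an added illustration of the normalisation an importer performs, and of the asset/finding relationship described above (port-scan data hanging off the asset, findings linked to the asset they apply to), the following example code was written for this page; it is not Canopy's own importer code or data model. It reads nmap XML into port data attached to assets and Nessus XML into findings on the same assets, skipping findings already recorded so a re-imported rescan does not duplicate them. The dataclass field names, the Nessus severity-to-risk mapping, the plugin ID and the two XML samples are all assumptions constructed for the example; the element names are the ones the two tools' native XML output uses.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Common structure the importers populate (field names assumed for this example).
@dataclass
class Port:
    number: int
    protocol: str
    state: str
    service: str = ""

@dataclass
class Asset:
    identifier: str                     # IP, URL, hostname or file reference
    ports: List[Port] = field(default_factory=list)   # port-scan data lives here

@dataclass
class Finding:
    title: str
    description: str
    recommendation: str
    asset: str                          # identifier of the affected asset
    risk: str                           # info / low / medium / high / critical
    cvss3: Optional[float] = None
    status: str = "open"                # tracked for re-testing
    source: str = ""                    # which importer produced it

@dataclass
class Workspace:
    assets: Dict[str, Asset] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)

def parse_xml(text: str) -> ET.Element:
    # Scanner output carries attacker-influenced strings (banners, page bodies); in
    # production use defusedxml so external entities and entity expansion are rejected.
    return ET.fromstring(text)

def import_nmap(ws: Workspace, xml_text: str) -> int:
    """Attach port-scan data to assets; returns the number of ports recorded."""
    count = 0
    for host in parse_xml(xml_text).iter("host"):
        addr = host.find("address")
        if addr is None or not addr.get("addr"):
            continue
        asset = ws.assets.setdefault(addr.get("addr"), Asset(addr.get("addr")))
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            asset.ports.append(Port(
                number=int(port.get("portid")),
                protocol=port.get("protocol", "tcp"),
                state=state.get("state", "unknown") if state is not None else "unknown",
                service=svc.get("name", "") if svc is not None else ""))
            count += 1
    return count

NESSUS_RISK = {"0": "info", "1": "low", "2": "medium", "3": "high", "4": "critical"}

def import_nessus(ws: Workspace, xml_text: str) -> int:
    """Turn ReportItems into findings. A plugin already recorded for the same asset
    and port is skipped, so re-importing a rescan does not duplicate findings."""
    seen = {(f.source, f.asset, f.title) for f in ws.findings}
    added = 0
    for rhost in parse_xml(xml_text).iter("ReportHost"):
        ident = next((t.text for t in rhost.iter("tag") if t.get("name") == "host-ip"), None) or rhost.get("name")
        ws.assets.setdefault(ident, Asset(ident))       # findings hang off the same asset as port data
        for item in rhost.iter("ReportItem"):
            title = f"{item.get('pluginName')} ({item.get('protocol')}/{item.get('port')})"
            if ("nessus", ident, title) in seen:
                continue
            seen.add(("nessus", ident, title))
            cvss3 = item.findtext("cvss3_base_score")
            ws.findings.append(Finding(
                title=title,
                description=(item.findtext("description") or "").strip(),
                recommendation=(item.findtext("solution") or "").strip(),
                asset=ident,
                risk=NESSUS_RISK.get(item.get("severity", "0"), "info"),
                cvss3=float(cvss3) if cvss3 else None,
                source="nessus"))
            added += 1
    return added

# Constructed sample output (not real scan results), trimmed to the elements used.
NMAP_SAMPLE = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host></nmaprun>"""
NESSUS_SAMPLE = """<NessusClientData_v2><Report name="constructed"><ReportHost name="web01">
<HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="99999"
 pluginName="Self-signed TLS certificate (constructed)"><description>The service presents a self-signed certificate.</description>
<solution>Issue a certificate from a trusted CA.</solution><cvss3_base_score>5.3</cvss3_base_score>
</ReportItem></ReportHost></Report></NessusClientData_v2>"""

def demo() -> Workspace:
    ws = Workspace()
    import_nmap(ws, NMAP_SAMPLE)
    import_nessus(ws, NESSUS_SAMPLE)
    import_nessus(ws, NESSUS_SAMPLE)    # same report again: nothing is duplicated
    return ws
```

Two points carry over to a real importer. First, scanner output is untrusted input: service banners and page bodies end up inside the XML, so the parser must reject external entities and entity expansion (defusedxml, not the stdlib parser). Second, the de-duplication key (source, asset, title) is what makes re-test imports safe; without it every rescan would create a second copy of each finding instead of leaving the existing one to be moved from open to fixed.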

For information on supported tools see TODO.